Avoid an out-of-bounds read on a recovery attempt using a carefully crafted

database and rollback journal with mismatched page sizes. The test case for this is in TH3. FossilOrigin-Name: 378afa16381a222aafa6009dbbbc92473a69683537f1c265694678b0595a42c8
2025-08-05 15:55:57 +03:00 · 2017-09-14 02:36:27 +00:00
parent bb6896226f
commit 263a8b660f
3 changed files with 11 additions and 11 deletions
--- a/src/pager.c
+++ b/src/pager.c
@@ -2844,12 +2844,13 @@ static int pager_playback(Pager *pPager, int isHot){
  ** pager_playback_one_page() call returns SQLITE_DONE or an IO error 
  ** occurs. 
  */
-  while( 1 ){
+  do{
    /* Read the next journal header from the journal file.  If there are
    ** not enough bytes left in the journal file for a complete header, or
    ** it is corrupted, then a process must have failed while writing it.
    ** This indicates nothing more needs to be rolled back.
    */
+    u32 savedPageSize = pPager->pageSize;
    rc = readJournalHdr(pPager, isHot, szJ, &nRec, &mxPg);
    if( rc!=SQLITE_OK ){ 
      if( rc==SQLITE_DONE ){
@@ -2931,9 +2932,8 @@ static int pager_playback(Pager *pPager, int isHot){
        }
      }
    }
-  }
-  /*NOTREACHED*/
-  assert( 0 );
+    rc = sqlite3PagerSetPagesize(pPager, &savedPageSize, -1);
+  }while( rc==SQLITE_OK );

 end_playback:
  /* Following a rollback, the database file should be back in its original